Running Yara rules using C-API in SGX enclave

Harris__David — Sun, 18 Nov 2018 17:03:05 GMT

Hello,

I'm trying to see if I can run memory-resident Yara rule-matching (C-API) functions in the SGX enclave. I'm getting the following linking errors that seem to indicate I need to recompile the Yara baseline as position-independent code before it will link to the enclave code.

++++++++++++++++++++

11:34:02 **** Build of configuration Intel(R) SGX Simulation Debug for project non_sgx_empty_proj ****
make SGX_DEBUG=1 SGX_MODE=SIM -f sgx/Makefile all
make -C ./sgx/enclave_yara_enclave -f sgx_u.mk all;
make[1]: Entering directory `/home/developer/eclipse-workspace/non_sgx_empty_proj/sgx/enclave_yara_enclave'
GEN => untrusted/yara_enclave_u.c
CC   <= untrusted/yara_enclave_u.c
CXX <= untrusted/sample.c
LINK => sample
make[1]: Leaving directory `/home/developer/eclipse-workspace/non_sgx_empty_proj/sgx/enclave_yara_enclave'
make -C ./sgx/enclave_yara_enclave    -f sgx_t.mk all;
make[1]: Entering directory `/home/developer/eclipse-workspace/non_sgx_empty_proj/sgx/enclave_yara_enclave'
GEN => trusted/yara_enclave_t.c
CC   <= trusted/yara_enclave_t.c
CC <= trusted/yara_enclave.c
/usr/bin/ld: /usr/local/lib/libyara.a(tests.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(pe.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(elf.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(math.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(time.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(pe_utils.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(cuckoo.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(magic.o): relocation R_X86_64_32S against undefined hidden symbol `cached_mime_types' can not be used when making a shared object
make[1]: Leaving directory `/home/developer/eclipse-workspace/non_sgx_empty_proj/sgx/enclave_yara_enclave'
/usr/bin/ld: /usr/local/lib/libyara.a(hash.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(dotnet.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(grammar.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(ahocorasick.o): relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(arena.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(atoms.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(bitmask.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(compiler.o): relocation R_X86_64_32 against hidden symbol `yr_object_destroy' can not be used when making a shared object
/usr/bin/ld: /usr/local/lib/libyara.a(exec.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(lt1-hash.o): relocation R_X86_64_32S against hidden symbol `byte_to_int32' can not be used when making a shared object
/usr/bin/ld: /usr/local/lib/libyara.a(hex_grammar.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(hex_lexer.o): relocation R_X86_64_32 against undefined hidden symbol `yr_recovery_state_key' can not be used when making a shared object
/usr/bin/ld: /usr/local/lib/libyara.a(lexer.o): relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(libyara.o): relocation R_X86_64_32S against undefined hidden symbol `yr_altercase' can not be used when making a shared object
/usr/bin/ld: /usr/local/lib/libyara.a(modules.o): relocation R_X86_64_32 against hidden symbol `yr_modules_table' can not be used when making a shared object
/usr/bin/ld: /usr/local/lib/libyara.a(object.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(parser.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(proc.o): relocation R_X86_64_32S against symbol `yr_process_get_first_memory_block' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(re.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(re_grammar.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(re_lexer.o): relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(rules.o): relocation R_X86_64_32S against `.text' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(scan.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: /usr/local/lib/libyara.a(scanner.o): relocation R_X86_64_32S against undefined hidden symbol `exc_jmp_buf' can not be used when making a shared object
/usr/bin/ld: /usr/local/lib/libyara.a(linux.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
make[1]: *** [yara_enclave.so] Error 1
make: *** [all] Error 2

11:34:02 Build Failed. 36 errors, 0 warnings. (took 369ms)

++++++++++++++++

The auto-generated makefile I'm using is below - what I added is in bold:

*********************************************************************************************

######## Intel(R) SGX SDK Settings ########
SGX_SDK ?= /opt/intel/sgxsdk
SGX_MODE ?= SIM
SGX_ARCH ?= x64

ifeq ($(shell getconf LONG_BIT), 32)
SGX_ARCH := x86
else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32)
SGX_ARCH := x86
endif

ifeq ($(SGX_ARCH), x86)
   SGX_COMMON_CFLAGS := -m32
   SGX_LIBRARY_PATH := $(SGX_SDK)/lib
   SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign
   SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r
else
   SGX_COMMON_CFLAGS := -m64
   SGX_LIBRARY_PATH := $(SGX_SDK)/lib64
   SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign
   SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r
endif

ifeq ($(SGX_DEBUG), 1)
ifeq ($(SGX_PRERELEASE), 1)
$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!)
endif
endif

ifeq ($(SGX_DEBUG), 1)
SGX_COMMON_CFLAGS += -O0 -g
else
SGX_COMMON_CFLAGS += -O2
endif

ifneq ($(SGX_MODE), HW)
   Trts_Library_Name := sgx_trts_sim
   Service_Library_Name := sgx_tservice_sim
else
   Trts_Library_Name := sgx_trts
   Service_Library_Name := sgx_tservice
endif

Crypto_Library_Name := sgx_tcrypto

Yara_enclave_C_Files := trusted/yara_enclave.c
Yara_enclave_Include_Paths := -IInclude -Itrusted -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx -I/usr/local/include

Flags_Just_For_C := -Wno-implicit-function-declaration -std=c11
Common_C_Cpp_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -fstack-protector $(Yara_enclave_Include_Paths) -fno-builtin-printf -I.
Yara_enclave_C_Flags := $(Flags_Just_For_C) $(Common_C_Cpp_Flags)

Yara_enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \
   -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \
   -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \
   -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \
   -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \
   -Wl,--defsym,__ImageBase=0 \
   -Wl,--version-script=trusted/yara_enclave.lds \
   -L/usr/local/lib \
   -Wl,--whole-archive -lyara

Yara_enclave_C_Objects := $(Yara_enclave_C_Files:.c=.o)

ifeq ($(SGX_MODE), HW)
ifneq ($(SGX_DEBUG), 1)
ifneq ($(SGX_PRERELEASE), 1)
Build_Mode = HW_RELEASE
endif
endif
endif

.PHONY: all run

ifeq ($(Build_Mode), HW_RELEASE)
all: yara_enclave.so
   @echo "Build enclave yara_enclave.so [$(Build_Mode)|$(SGX_ARCH)] success!"
   @echo
   @echo "*********************************************************************************************************************************************************"
   @echo "PLEASE NOTE: In this mode, please sign the yara_enclave.so first using Two Step Sign mechanism before you run the app to launch and access the enclave."
   @echo "*********************************************************************************************************************************************************"
   @echo
else
all: yara_enclave.signed.so
endif

run: all
ifneq ($(Build_Mode), HW_RELEASE)
@$(CURDIR)/app
@echo "RUN => app [$(SGX_MODE)|$(SGX_ARCH), OK]"
endif

######## yara_enclave Objects ########

trusted/yara_enclave_t.c: $(SGX_EDGER8R) ./trusted/yara_enclave.edl
@cd ./trusted && $(SGX_EDGER8R) --trusted ../trusted/yara_enclave.edl --search-path ../trusted --search-path $(SGX_SDK)/include
@echo "GEN => $@"

trusted/yara_enclave_t.o: ./trusted/yara_enclave_t.c
@$(CC) $(Yara_enclave_C_Flags) -c $< -o $@
@echo "CC <= $<"

trusted/%.o: trusted/%.c
@$(CC) $(Yara_enclave_C_Flags) -c $< -o $@
@echo "CC <= $<"

yara_enclave.so: trusted/yara_enclave_t.o $(Yara_enclave_C_Objects)
@$(CXX) $^ -o $@ $(Yara_enclave_Link_Flags)
@echo "LINK => $@"

yara_enclave.signed.so: yara_enclave.so
   @$(SGX_ENCLAVE_SIGNER) sign -key trusted/yara_enclave_private.pem -enclave yara_enclave.so -out $@ -config trusted/yara_enclave.config.xml
   @echo "SIGN => $@"
clean:
   @rm -f yara_enclave.* trusted/yara_enclave_t.* $(Yara_enclave_C_Objects)

**************************************************************************************************************

Just wondering, short of recompiling Yara as position-independent code, whether there's another change I need to make in the makefile to compile Yara into the enclave code. Thanks.

Some additional info - I

Harris__David — Mon, 19 Nov 2018 16:28:42 GMT

Some additional info - I reran the ./configure script as ./configure --with-pic --enable-crypto --enable-dotnet --enable-magic --enable-cuckoo --with-crypto to include "--with-pic". Yara, of course compiled, but when attempting to link libyara.a using the given makefile, additional errors were produced. A snapshot of those errors, below seems to indicate basic c standard library are no longer locatable in the libyara object files.

make SGX_DEBUG=1 SGX_MODE=SIM -f sgx/Makefile all
make -C ./sgx/enclave_Intrusions_Enclave -f sgx_u.mk all;
make[1]: Entering directory `/home/dave/eclipse-workspace/SGX_Proj2/sgx/enclave_Intrusions_Enclave'
GEN => untrusted/Intrusions_Enclave_u.c
CC   <= untrusted/Intrusions_Enclave_u.c
CXX <= untrusted/sample.c
LINK => sample
make[1]: Leaving directory `/home/dave/eclipse-workspace/SGX_Proj2/sgx/enclave_Intrusions_Enclave'
make -C ./sgx/enclave_Intrusions_Enclave    -f sgx_t.mk all;
make[1]: Entering directory `/home/dave/eclipse-workspace/SGX_Proj2/sgx/enclave_Intrusions_Enclave'
GEN => trusted/Intrusions_Enclave_t.c
CC   <= trusted/Intrusions_Enclave_t.c
CC <= trusted/Intrusions_Enclave.c
/usr/local/lib/libyara.a(lexer.o): In function `yara_yyfatal':
lexer.c:(.text+0x819): undefined reference to `longjmp'
/usr/local/lib/libyara.a(lexer.o): In function `yara_yylex':
lexer.c:(.text+0x15db): undefined reference to `stdin'
lexer.c:(.text+0x15eb): undefined reference to `stdout'
lexer.c:(.text+0x18f4): undefined reference to `strtoll'
lexer.c:(.text+0x19a7): undefined reference to `strtod'
lexer.c:(.text+0x19eb): undefined reference to `strtoll'
lexer.c:(.text+0x1a23): undefined reference to `strstr'
lexer.c:(.text+0x1ad2): undefined reference to `strstr'
lexer.c:(.text+0x1aea): undefined reference to `strstr'
lexer.c:(.text+0x1b02): undefined reference to `strstr'
lexer.c:(.text+0x1e9e): undefined reference to `fwrite'
lexer.c:(.text+0x2479): undefined reference to `__isoc99_sscanf'
lexer.c:(.text+0x29d5): undefined reference to `_IO_getc'
lexer.c:(.text+0x2a0b): undefined reference to `ferror'
lexer.c:(.text+0x2b5a): undefined reference to `strstr'
lexer.c:(.text+0x2b9f): undefined reference to `strstr'
lexer.c:(.text+0x2bb3): undefined reference to `strstr'
lexer.c:(.text+0x2c75): undefined reference to `snprintf'
lexer.c:(.text+0x2d05): undefined reference to `strrchr'
lexer.c:(.text+0x2f15): undefined reference to `ferror'
lexer.c:(.text+0x2f4e): undefined reference to `clearerr'
lexer.c:(.text+0x2f86): undefined reference to `fread'
/usr/local/lib/libyara.a(lexer.o): In function `yr_lex_parse_rules_string':
lexer.c:(.text+0x30db): undefined reference to `_setjmp'
/usr/local/lib/libyara.a(lexer.o): In function `yr_lex_parse_rules_file':
lexer.c:(.text+0x31bb): undefined reference to `_setjmp'
/usr/local/lib/libyara.a(lexer.o): In function `yr_lex_parse_rules_fd':
lexer.c:(.text+0x3260): undefined reference to `_setjmp'
lexer.c:(.text+0x328f): undefined reference to `__fxstat'
lexer.c:(.text+0x32e4): undefined reference to `read'

etc....

These appear to be C library functions that the Yara baseline code is not finding e.g., (pe_utils.c:(.text+0x54c): undefined reference to `sprintf') when linked into SGX C libraries. Does this mean I'd have to attempt to recompile the Yara using the SGX C libraries?

David, happy to chat and see

Michalevsky__Yan — Mon, 19 Nov 2018 18:10:45 GMT

David, happy to chat and see if we can be helpful with it. yan@anjuna.io.

Thanks, Yan. I may take you

Harris__David — Tue, 20 Nov 2018 21:26:00 GMT

Thanks, Yan. I may take you up on that. I've been reading up on the GNU build process the Yara baseline and optional tools use and am thinking about adding something that will recognize and point to an actual or default SGX baseline in the configure.ac or Makefile.am files. Still working out where that belongs in the build tool chain. I may have to generate some kind of file that will become OCALL stubs in an edl for Yara-related calls not supported by SGX.

topic Some additional info - I in Intel® Software Guard Extensions (Intel® SGX)

Running Yara rules using C-API in SGX enclave

Some additional info - I

David, happy to chat and see

Thanks, Yan. I may take you